How Not to Unsubscribe

Is it safe to use an 'unsubscribe' link to stop getting e-mail from a particular sender? Or will clicking the link just get you more spam? Datamation's Executive Tech columnist has some surprising answers.

Is it safe to use an "unsubscribe" link to stop getting e-mail from a
particular sender? Or will clicking the link just get you more spam?

One firm's executives have studied this question extensively — and
the answer they found is very likely to surprise you.

To Unsubscribe Or Not To Unsubscribe

I've often decried as an urban myth the idea that clicking an unsubscribe
link would get you more spam. For example, I wrote this on
March 21, 2003: "Legitimate e-mail newsletters
do honor unsubscribe requests, but most spammers don't honor them or use
them in any manner, if their unsubscribe links even work."

My reporting on this subject was based on controlled studies of spam,
such as an April 2002 report by International Netforce. This intergovernmental
group is a joint effort of several U.S. states, the Federal Trade Commission,
and four Canadian agencies to sue Internet scammers of all kinds.

The task force tested the unsubscribe mechanisms that were touted in a sample
of the 10 million unsolicited e-mail messages that the FTC has amassed in its
huge spam database. What did they find? The "vast majority" of the unsubscribe
links in these spam messages didn't work in any way, shape or form.

Now I have fresh information on the slimy, deceptive use of unsubscribe links.
I've found a small, high-tech firm that's conducted new, in-depth tests. Out
of the tens of thousands of messages the researchers examined, a tiny
minority of the unsubscribe pages actually are collecting e-mail addresses and
then sending spam to the victims they've snared.

Fortunately, you can almost completely avoid such despicable links. Here's how.

A Dime A Day Keeps The Spam Away

Lashback LLC is the name of the firm that's conducting this research. This
self-financed startup employs eight people and supports more than 10,000
subscribers. The company sells a service named — what else? —
Lashback for $29.95 per year, a little under 10 cents a day.

• Lashback Users Click The Button.
The company's downloadable software integrates itself into Microsoft's Outlook
and Outlook Express e-mail programs. Once the applet is installed, the user
sees a Lashback button that promises a safe way to unsubscribe from any
e-mail list, whether it's spam or not.

• Spam I Am.
Clicking the button sends the unwanted message to the user's Spam folder,
where it will sooner or later be deleted. (The software can alternately be
configured to send such messages directly to the Trash folder.) At the same
time, the message is zipped to Lashback headquarters for analysis.

• Who's Naughty And Nice.
Lashback's computers then invent a new, unique e-mail address and submit it to
any "unsubscribe" form that the e-mail may link to. An innocent e-mail
response — such as "You are confirmed to be unsubscribed," or no response
at all — is considered a good sign. But if anything else is spewed
to Lashback's unique address, the site is put on the company's list of
"Abused Unsubscribe Links."

• Blocking The Spammers.
When an unsubscribe mechanism proves to be genuine, Lashback (after a decent
interval) submits the user's real e-mail address and the user therefore
gets off the list. Fine. If the mechanism was just a way for a spammer to
collect e-mail addresses and send more spam, however, Lashback diverts all
such messages in the future directly to the user's Spam folder, where the
user will probably never have to deal with them again.

• If It Looks Like Spam...
Lashback's method of diverting spam is unique among all the approaches I've
seen. Because spammers are constantly changing their "from" address and other
identifying characteristics, Lashback doesn't rely solely on these indicators.
Instead, the company records the names of Web sites that advertise in
messages that have bogus unsubscribe mechanisms. All spam is ultimately trying
to sell you something or make you visit some Web site or another. It doesn't
take long for Lashback to figure out which sites those are, according to
Brandon Phillips, the company's president.

Keep Your Company Off The Abuse List

Recognizing certain Web sites as "sure signs" of spam is an approach that
has gigantic implications for both legitimate companies and shady ones.

• Are You Sure Your Mechanisms Work?
A July 2004 study by Arial Software, an e-mail software publisher,
found that an astonishing 51% of e-mail newsletters from otherwise legitimate
companies failed to include an unsubscribe link anywhere within their messages.
Arial quietly subscribed to newsletters from
1,057 well-known business organizations, including most
of the Fortune 500, and then examined the resulting e-mails to reach this
depressing conclusion.

• Guilt By Association.
If your company's Web site is hyperlinked within one of these blue-chip
newsletters that doesn't have a working unsubscribe mechanism, future
e-mails that also link to you may be filtered out as "spam."

I think the lesson is crystal clear. If you care whether e-mails that
mention your company's Web site get delivered, make sure any online publication
you're associated with has an unsubscribe link, and one that really works.

How To Avoid Those Bogus Unsubscribe Links

At this writing, Lashback has tested 27,719 separate unsubscribe
links that were included in various e-mails the company has processed. The
resulting statistics appear prominently on the firm's
home page: only 484
(1.7%) are "abused links" that will send you more spam if you enter your
e-mail address. Another 2,712 (9.8%) are "dishonored" links, which
appear to function but don't actually accomplish anything, good or bad.

Your task as a computer user is to avoid the 1% of unsubscribe links
that are in fact operated by spawn of the Devil.

Outing The "Abused Unsubscribe Links" Index

You can steer clear of these sites by using the list of "Abused Unsubscribe
Links" that Lashback has built up through its testing methodology. Because
this grand experiment has had a lower priority than marketing the company's
primary revenue source (its $29.95 service), the abuse list has never before
been publicized. There's no link to the list on the company's home page and,
according to the Google.com search engine, not a single other site on the
entire Internet links to it, either. You're reading it here first.

The list resides at
www.lashback.com/abuse. On that page, click the "View List"
hyperlink and you'll see the entire Hall of Shame.

Lashback CTO Eric Castelli says his company has been monitoring some of the
operations on the list since January 2004. A figure entitled "Violations
To-Date" is shown for each link. This number represents the sum total of
all the unsolicited e-mails that Lashback's unique addresses have received
since August after using each site's unsubscribe form.

This payload can be weighty. The top offender on the list has reportedly sent
Lashback more than 1,400 messages in August and September alone.

E-mail administrators in legitimate companies should download Lashback's list
periodically and then block user access to the unsubscribe forms on the
allegedly spam-happy Web pages. Once that blocking policy is in effect, users
can follow a very simple set of rules:

• Do unsubscribe from any ordinary, authentic e-mail
newsletter that you may once have subscribed to but now no longer want;

• Don't bother unsubscribing from spam messages, just delete them,
because in almost every case the unsub link won't work — there's simply
no good way to get off a spam list; and

• If you can't tell whether the message in front of you is a
respectable e-mail newsletter or spam, go ahead and click its unsub link.
Your company's blockade of the 1% that are bogus will protect
you from making an error.

I'll have more next week on the entire unsubscribe mess and what Lashback
and other companies are doing about it.

Please enable Javascript in your browser, before you post the comment! Now Javascript is disabled.